70. Unlicensed and Dangerous: The IT Industry Secret That's Putting Your Business at Risk - with Robert Cioffi
Justin Shelley (00:00)
Welcome everybody to episode 70 of Unhacked. We're here to help business owners protect their organizations from game-ending cybercrime from our infamous friendly Russian hackers. ⁓ I'm Justin Shelley, CEO of Phoenix IT Advisors. We help businesses build wealth, protect that wealth from Russian hackers, government fines and penalties, and class action lawsuits. And, ⁓ you know, we're going to run around the room here, do a couple of quick introductions, and we'll save our surprise guest for last.
Brian, tell everybody who you are, what you do and who you do it for.
Bryan Lachapelle (00:33)
Thank you, Justin. My name is Brian Lashford with B4 Networks, based out of beautiful Niagara, Ontario, Canada. And we provide, we help business owners remove the frustrations and ⁓ problems that come with dealing with technology, including cybersecurity and just in general help desk and various things like that.
Justin Shelley (00:51)
All right, Mario, same question.
Mario Zaki (00:54)
Very similar answer. Mario Zaki, CEO of Mastek IT, located in beautiful New Jersey. ⁓ I'm probably the first person to say that, but ⁓ we've been in business for 21 years helping IT companies stay secure and specializing in having business owners be able to sleep better at night.
Bryan Lachapelle (01:04)
Yeah.
Justin Shelley (01:04)
Mm-hmm.
Excellent. And guys, we have a first ever in the history of the Unhacked podcast. We have a guest returning back for the third time today. ⁓ Robert, Robert Choffee. Did I even come close on the
Robert Cioffi (01:24)
Wow. Who's that?
Yeah, you came
extra you pass the telemarketing call screening test, not my name. That's the Americanized version of it, which is damn close enough. So if we were in Italy, you would say choffee, but I'm not going to penalize you for not enunciating in Italian correctly. So choffee is fine.
Bryan Lachapelle (01:33)
You
Justin Shelley (01:38)
Right.
Bryan Lachapelle (01:43)
fee.
Justin Shelley (01:48)
Well, my real problem,
I have a little bit of background in the Espanol and it's just close enough that it screws me up. So, okay. Okay. Let's, okay. This whole episode has just been transferred into Spanish. Bienvenidos todos. Podcast Unhacked. Okay. Let's, let's cut this shit. ⁓ Listen, Robert, ⁓ you are here A because
Robert Cioffi (01:56)
I Spanish too. Of course I
you
Mario Zaki (02:04)
Yeah
Bryan Lachapelle (02:09)
I'm
Justin Shelley (02:15)
You are, you are probably one of the, ⁓ and I hate to say this, but I am going to the most experienced people that I know in my circle in the world of cyber crime. and unfortunately that experience didn't come in the best of ways. Still here you are as, as an industry leader easily. Right.
Robert Cioffi (02:35)
Hey,
you can knock me down, but I keep getting back up. and yeah, since our event, our large event four years ago, I've had the experience of being involved in several other cases, both here within our MSP, as well as helping other MSPs navigate cyber crime attacks against either them or their clients.
Justin Shelley (03:00)
You know, one of the things I like to tell people is that I got into the world of technology because I like to install sound cards and rip out circuit boards and, plug in cables on my Apple two E back in the day, writing the code. I loved writing code. My friends would be playing their little video games. I'm like, that. I'm, writing code. I'm going to make the video game that you play. ⁓ and then against my will, it turned into a world where I am in literal hand to hand combat with Russian hackers. That is my back, my story. My story is not nearly as a.
Robert Cioffi (03:09)
code.
Yep, me too.
Bryan Lachapelle (03:18)
Yeah.
Robert Cioffi (03:26)
Yep.
Justin Shelley (03:29)
intense as yours, but I fought Russian hackers in what I call hand to hand combat. Now your situation appears to have escalated since we spoke last. And when I say hand to hand combat, I'm being figurative, right? Yours went literal. I see the scar on your face. Tell me what's going on.
Robert Cioffi (03:41)
Yes.
that's just ⁓ a little ⁓ dermatological issue that I had and ⁓ no, no, I want to tell a story about I mean, even I have this on my hand about what the other guy looks like. But ⁓ actually, this was from boxing. ⁓ But no, I can't say that ⁓ I got into an actual scrape. ⁓ But yeah, it's just an odd little thing I got going on here. But don't
Justin Shelley (03:51)
it's not a Russian hacker? ⁓ okay, okay.
I know you got the
Bryan Lachapelle (03:59)
You
Robert Cioffi (04:12)
you know, if it helps with the storytelling, yeah, I got into a fight with somebody and you should see him.
Justin Shelley (04:16)
Okay. Thank you. Cause I'm like, where are we going to go now? The whole, the
whole timeline for the whole podcast episode just got, ⁓ it's gone. It's gone. I've thanks everybody for joining us. We'll see you next week. All right, guys, let's, ⁓ take two at trying to get down to business here. ⁓ we have, and we've mentioned this before, we're going to do a little bit of a deep dive on it today. We are one of the very few industries.
Bryan Lachapelle (04:23)
It's all gone.
Mario Zaki (04:24)
You
Robert Cioffi (04:27)
You're welcome.
Mario Zaki (04:29)
You
⁓
Robert Cioffi (04:35)
That's good.
Justin Shelley (04:45)
that can have such an impact on, on people's businesses, their livelihood that, ⁓ well, I'm just going to ask the question, what does it take? I, if I want to start an MSP, if I want to, let's go like MSSP security expert. I am the best in the world at cybersecurity protecting your business from the hackers and, and, you know, the hacks up. What is it? What is the, ⁓ what's the qualifications that guys, what's it take?
Robert Cioffi (05:19)
I have the definition. ⁓ If I have a smidgen more experience or knowledge than you and you have a checkbook, a transaction is born.
Justin Shelley (05:20)
Okay, hit us.
Yeah, well said, well said. And now guys, take a look at those of you that are watching the video. There's only 50 % of us here that have hair. But the two of us, the 50 % who don't, I cannot go pay somebody to polish my bald dome without a license. They have to have a license, right? To cut this absolute, you can't screw this up, but I can't pay them. They can't charge me to cut it.
Bryan Lachapelle (05:31)
That's pretty much the truth. Yeah. Yeah.
Robert Cioffi (05:55)
Yes?
Justin Shelley (06:01)
to shave it, to polish it without a license yet here we sit. and I mean, we'll, we'll come back to it, but I've got a horror story. actually talked about it last week and we'll, dip into that as well. But, it's an unregulated, unregulated industry. Robert, you said the wild, wild West. I've used that phrase before in the past. ⁓ let's just kind of break this down and, and we're going to kind of hit it in three, three areas. We've got, what are the ramifications for our clients? The buyer of it services.
What are the ramifications for us? The ones who are hopefully legitimate, but prove it ⁓ as, as service providers. And then what's the answer to all this? So guys, I'm just going to turn this loose. It's an open floor. Let's break it down. Let's talk about our clients first. Okay. Brian's got all the answers as he missed, tried to kill a mosquito and missed. All right, Brian.
Robert Cioffi (06:49)
killing flies.
Bryan Lachapelle (06:55)
I don't even know where it came from. It's so cold outside. Where are the flies coming from?
Justin Shelley (06:57)
Get it together over there. Get it together.
Mario Zaki (07:00)
So the thing is with the matter if a company is outsourcing it to an MSSP, an MSP or even bring it in the house, it really just it's like what you know, can you connect a computer to a network? Can you monitor this? you do, know, help a printer get installed correctly on, you know, 50 computers, you know, without taking forever? And it just
really experience, like even when we hire technicians, I'm not necessarily seeing looking at like where they went to college and how they went, you know, how they graduated highest in their class and stuff like that. I'm like, all right, did you work somewhere else? How long did you work for? Give me some examples of like, you know, messed up tickets that you had to that you resolved, you know, obviously there's a couple more questions that we ask, but pretty much that's what it takes. It's just if you've been around the block.
You qualify, you know, start on Monday.
You know, and the problem is like for our customers is they can't or not just our customers, but any companies that they, they can't really point to a certain direction. Well, you know, some people say, well, are you Microsoft certified? Are you, you know, Cisco certified? You know, that helps, but you don't necessarily like, don't, we don't need to be Cisco certified if we're not working with any Cisco equipment. You know, obviously Microsoft yes, but you don't even need.
Robert Cioffi (08:26)
Yeah.
Mario Zaki (08:31)
to be Microsoft certified to work on it, install it, even call support for it.
Robert Cioffi (08:39)
Those
certifications, Mario, those are very product specific, right? That's a manufacturer certifying that you know how to do, or at least textbook wise know how to do the things with that product the way it was designed. But what is ⁓ sorely missing is the theoretical knowledge, the methodologies, a lot of the things that I learned, dare I say, in my computer information science degree.
⁓ you know, the theory behind computer science and working in this business is what's grossly absent from when I wave around my Microsoft, flag or my Cisco, ⁓ you know, piece of paper, because that doesn't really speak to, ⁓ your ability as a practitioner to drive solutions for your client. All it means is I, I passed a test that says I have product knowledge.
Justin Shelley (09:36)
Right. Unlike the construction industry, for example, you've got to pass tests, but you also have to demonstrate actual in the trenches knowledge experience. ⁓ so again, I'm going to ask, what does this mean for our clients? Let's put ourselves in the buyer situation. We have to buy managed services. We've got a business. We've done everything. We poured our entire lives, our souls, our hearts into our business. And we built this thing and it takes, we say it all the time. It takes one click to annihilate the entire thing.
And I've got to go out and I've got to make a purchase decision on who's going to protect me from the absolute nightmare that is the world of technology.
Robert Cioffi (10:15)
think you got to start there, Justin, it's in the decision making and the market confusion. ⁓ I've wondered sometimes how does my prospect properly weigh us against some of our competitors, which are good, and some of our competitors, are, you know, there's zero comparison. How do they do that homework? How do they make those judgment calls and
So that's the first ramification is the market confusion. ⁓ And I don't mean to be too judgmental here, but there is a segment of our so-called competition, which are bottom feeders. shouldn't be in this business. They don't know what they're doing. They're dangerous. And what's worse is they're not charging anywhere near the same amount of money that we are because they're horrible business people. So that's the confusion it creates. Why would I use
Robert or Mario or Justin or or Brian or anybody else that is smart enough to do this job properly. But their price is four times as expensive. Like, why would I pay all that extra money? Right. I need a Toyota. I don't need a BMW. And so they're thinking they're still going to get the same or similar value, but they're not.
Justin Shelley (11:30)
A Toyota, right?
No, they're, getting a broken down bicycle at best. And, and Robert, so I'm going to quickly talk about what I, you know, we did a whole episode last week about this, but I'm trying to work with a client, a prospective client who was previously paying $2,000 a month. And, and as soon as I heard that I'm like, well, there's your problem. You're being grossly underserved. Before you say another word, I know that, because they had like,
Bryan Lachapelle (11:34)
Yeah.
Justin Shelley (12:00)
you know, 34 computers. ⁓ but as I, the, the deeper, right. But so I'm at pop quiz Robert in that information that I've given you so far, what would you expect to be verifiable as a delivered service at $2,000 a month? I'm paying $2,000 a month. I'm your client or your prospect. ⁓ what would you tell me I'm getting?
Robert Cioffi (12:02)
Yeah, it's way too low
⁓ For 34 users, you're not getting anything from us because I'm not touching you at that price for that amount of users because I don't.
Bryan Lachapelle (12:30)
Hahaha ⁓
Justin Shelley (12:32)
But a competitor, let's
Mario Zaki (12:32)
You
Justin Shelley (12:33)
say you're going into this and you see somebody else getting charged two grand a month, they've got 34 computers. What would you expect to find when you do your discovery?
Robert Cioffi (12:37)
Yeah.
I would expect they're doing some just very basic monitoring and like there's no proactivity. There's no strategic services. There's there's none of that. I mean, and if I'm doing an audit, I'm going to expect to find a nightmare. Right. I was going to say some other word. ⁓ A bad word show, right? All right. All right. Fuck it.
Justin Shelley (13:02)
shit show. We swear on here, Robert, we swear on here. Let me. There
Mario Zaki (13:02)
Choo-choo.
Robert Cioffi (13:09)
I'm going to find a show,
Mario Zaki (13:10)
you
Justin Shelley (13:10)
you go. There we go. Now we're talking and and
Bryan Lachapelle (13:12)
Now you got
it.
Robert Cioffi (13:14)
right? I'm going to find a mess. likely my ops team is going to hate me for bringing that account on board unless it comes with a upfront steady state project to correct all of the problems caused by the prior provider.
Bryan Lachapelle (13:16)
Right.
Justin Shelley (13:31)
So you're dead on what I found was nothing. found, I did find an RMM. And I'll say the vendor. Correct. Zero. They're $2,000. You may as well like take that in cash out of the bank and light it on fire because as I said last week, at least then, you know, absolutely you're getting nothing because the bigger problem is they're writing a check thinking they're getting something. They had on-prem servers running SQL server plus their management software. Everything of their business lives on these two servers.
Robert Cioffi (13:35)
What? you found nothing as in like there's nothing being done. Yeah, yeah.
Something, yeah.
Justin Shelley (14:01)
with active directory errors, no antivirus of any sort, no verifiable backup, ⁓ nothing. They had nothing going on. It was an absolute unmitigated disaster.
Robert Cioffi (14:13)
That was a different kind of crime.
Bryan Lachapelle (14:15)
Yeah, yeah. And therein lies the problem with a lot of these, like, going back to the original question, what does it look like for the client? They literally have no idea what to look for. They, ⁓ in a lot of cases, assume, like all the other licensed professions, that we are a licensed profession. They assume we are, and they just assume everybody who has a sign on their door saying they can do cybersecurity and IT
Justin Shelley (14:15)
Yeah, tell me about it.
Mario Zaki (14:16)
Ha
Bryan Lachapelle (14:42)
are qualified to do that and the reality is that they aren't. So going back to the original question, what does it look like for the client? It's a disaster, complete 100 % disaster. They don't know what to look for.
Mario Zaki (14:54)
Well, know the thing is, sorry Justin, go ahead. So the one thing too, if you guys remember back in April when we were together, ⁓ there was, you know, we were part of a marketing group and one of the things that they had on the screen was when a prospect is looking for a new IT company, what's the number one thing that they're checking for? And they're not checking for any like type of certification or experience or anything like that. Their number one criteria
Justin Shelley (14:54)
And they can go ahead. Now you're up.
Bryan Lachapelle (15:16)
yeah.
Mario Zaki (15:22)
And it was like way number one was response time. How fast can they pick up their phone or reply to my email? That's how they're judging if you're a good IT company or not. Now, granted, this is very important. You don't want to wait four days to call somebody back, but that shouldn't be the number one criteria of picking an IT company. Am I right?
Bryan Lachapelle (15:26)
fast can they get back to me.
Justin Shelley (15:47)
It shouldn't
be, but let me, let me spin this another way. It also is very telling about an MSP. If they are not responding quickly, there are deeper problems. You're looking at the tip of the iceberg, but it is telling.
Robert Cioffi (16:03)
So it's symptomatic, it's not really at the issue, but I agree with you, Justin. If you have poor response times, then it's likely gonna be a lot worse underneath the covers.
Justin Shelley (16:15)
Yeah. It's cause they're just, they're reacting to every emergency. They're not, they're not solving any real problems. Right.
Robert Cioffi (16:20)
or they're understaffed ⁓ or
they just simply don't care. Maybe culturally they're like, yeah, we'll get to it when we get to it.
Justin Shelley (16:26)
And possibly, yeah. I'll be honest though. I've never met that technician. I've met a lot of stressed out IT guys that are frantically running around trying to, know, cause a ring in and, know, you get a lot of burnout. I'm not saying they don't exist. saying I haven't, I haven't worked with them. ⁓ That would be a new version of scary. Honestly. It was like, I don't give a fuck. Whatever. That's their problem. Not mine. Hopefully. I don't know. Okay. So any, any other ramifications for the client?
Any thoughts on that guys?
Robert Cioffi (16:58)
I mean, yeah, tons. They're putting their, ⁓ you know, they're putting their revenue, their profitability, their their livelihoods. They're putting their business at risk by ⁓ using an MSP without any good sort of criteria to judge us on, right, to evaluate us. Google reviews is not what you should be looking at because that's so easy to game. ⁓ A referral is pretty solid, but still. ⁓
I might still do that $2,000 a month service and actually not deliver any goods. But if I've got you fooled into thinking that I am, then you're still going to refer me. There's that underlying thing. know, Brian was kind of ⁓ hitting the nail on the head, think, earlier talking about ⁓ there's no certification to say that I'm an MSP or I'm an MSSP or whatever three or four letter acronyms you want to throw around.
Bryan Lachapelle (17:53)
Right.
Yeah. The danger too is that we talk about businesses if it's just profitability and potentially loss of business. The reality is, is there's a lot of businesses out there that are, they're responsible for national security, whether you're in Canada or the U.S. and they're dealing with MSPs and they're dealing with IT providers who can't keep them secure, which means that they're putting national security, they're intellectual property at risk, right? If you look at,
Robert Cioffi (18:12)
for sure.
Bryan Lachapelle (18:27)
back in time. And I don't have all the details, but Nortel was one of the biggest telecommunication firms in Canada, you know, the gem of Canada. And they went under because of a hacker, a hacker from China broke into their systems, how and where, and I don't have all the details, but they basically went under because all their information was stolen and where are they now? They don't exist. Right.
Justin Shelley (18:53)
Yeah.
Bryan Lachapelle (18:55)
Yeah.
Justin Shelley (18:57)
I know, I know. Listen, we're,
we're going to continue that. ⁓ I want to bring us down, you know how like in the military, they just beat you down to nothing so they can build you back up the right way. That is the goal today. ⁓ and, here's what I'm going to say about, it's going to kind of lead into our next point as Robert, you mentioned market confusion. ⁓ you know, you've got all this stuff out there. The, the buyer, although it is their job, it is their responsibility to understand that this
Bryan Lachapelle (19:02)
Yeah.
Right? Yeah.
Robert Cioffi (19:09)
Yes.
Justin Shelley (19:27)
enough to make intelligent decisions. If you're running a business, I've said this before, if you can't at least gather up enough knowledge to make intellectual decisions about, ⁓ it and about finance and about every other thing that you do, every other hat that you wear, you probably should find a different gig. Like you have to know this. There's, there's no free pass given here, but, this is the tragic part of it. Absent that knowledge, the number one determining factor in the decision is what
Cause you can't prove response time. Mario, that's a great point. That's what gets people unhappy with their current MSP, but they're buying criteria absent any real knowledge of the industry is what.
Robert Cioffi (20:05)
Unfortunately, it's price, not value. They should be focused on the value, right?
Justin Shelley (20:06)
Price, right?
Bryan Lachapelle (20:08)
every single time.
Justin Shelley (20:11)
So then they just keep, ⁓ yeah, it goes to the lower lowest bidder, which drives the problem even further underground, I are not underground, but like it, makes it worse. It exacerbates the problem. So, and that is my point. Like that's the ramification for us when we're trying to sell valuable, real managed services, the one I'm talking about, when I presented them with the initial price of what it would take. They're like all the blood drained out of their face. They're just, no, we can't do that.
And so then I'm like, okay, you you sign what I call an AMA form against medical advice, ⁓ that we're, we're not doing this, this, this, and this, and all kinds of strip things out so that we can give you something for your money. Cause that's better than what you're getting now. And I still can't get them to make a move. Like this is just insanity. So that I would argue as a ramification for us, but we're trying to deliver a service, you know, this, this group right here knows what they're doing. I can vouch for every single one of you. ⁓
But without that, mean, God, this just, this, makes such a mess for the client. So I'm going to punt that back out there. I said for the client, for us, I want to, I want to shift it a little bit. What does it do for us in trying to run legitimate business, deliver good service and actually protect our clients?
Bryan Lachapelle (21:28)
I can jump in there. What it's done for me is it has had to make me ⁓ better communicator to explain the value of what I bring to the table. And even then, my price is almost always higher, significantly higher than my competition. And so I'm having to explain why I'm willing to charge more or I have to charge more in order to not sacrifice service, right? And in...
A lot of the cases, if you were to compare what we're offering to what our competition is offering, it looks almost identical on a line by line basis. Here are the things that we're doing. But there's a lot under the hood that you know darn well that there's no way somebody can do what we do for half our price of whatever we're selling. Because there's not 50 % profit in this business. If there were, it'd be fantastic. We're not selling hot tubs here.
Justin Shelley (22:21)
right.
Bryan Lachapelle (22:27)
A 10 % discount is basically discounting 90 % of your profit or more, depending on the MSP.
Justin Shelley (22:31)
That's a good point. And I'm going to,
I want to pause you and dig into that. What is, if anybody's willing to say what their profit margin is, and if not, then let's talk about the industry average of a healthy IT company, MSP. What's a profit percentage, bottom line.
Robert Cioffi (22:45)
Well,
I can tell you I facilitate ⁓ Evolve peer groups and you know what SLI data will tell you is that best in class upper core tile of MSPs are in the, you know, let's just say the low 20s. just kind of spitballing here. Best in class, right? Now the bottom core tile ⁓ are either losing money or below like, let's say, 5%. ⁓ So that's 25 % of the market out there. So whether you're an MSP listening or
Mario Zaki (22:58)
Mm.
Justin Shelley (22:58)
Best in class, right? Right.
Bryan Lachapelle (23:00)
best, right?
Robert Cioffi (23:15)
You are a potential client for all four of us on this call or on this podcast. Think about it. If you've you know, if if you've spoken to four MSPs, chances are 25 % of them will be, you know, losing money or just barely making eat breaking even. And then the other 50 % is going to be between that, let's say, five and 15%, which, you know, is not a lot of ton of margin.
Justin Shelley (23:43)
Well, that's my point. So call it 10, right? Let's just average a healthy IT company. MSP is probably average is okay. Okay. The average MSP is probably bringing about 10 % to the bottom line. So if they tell you they can discount their services by 10%, they're now operating at zero.
Robert Cioffi (23:46)
Yeah.
Well, average, yeah. You said healthy, I'd say average, yeah. Okay.
Bryan Lachapelle (23:51)
I wouldn't say healthy, average.
Justin Shelley (24:07)
which in the world of finance means you're losing money. You don't get to operate at zero. It's not, you can't do it. It's like saying I can live on zero oxygen. You cannot.
Mario Zaki (24:11)
Yeah.
Bryan Lachapelle (24:12)
Yeah.
Yeah. Now I want to flip the script. Right. I was going to say, I want to flip the script. If you were going to see a medical practitioner and you knew that they were barely making ends meet, would you want them being the one to operate on you? I mean, like, what are they cutting back in order to provide it? Yeah. Right. So my argument has always been you want your service provider to make money. Like making money is not a swear word. You want them to make money because a healthy
Mario Zaki (24:16)
Which means they end up cutting corners somewhere. Sorry, Brian.
Justin Shelley (24:19)
100%.
Hell no, I'm walking out the door.
Robert Cioffi (24:30)
Yeah, because it's cheaper. It's cheaper.
Mario Zaki (24:32)
Anesthesia
⁓
Justin Shelley (24:34)
Yeah!
Absolutely.
Bryan Lachapelle (24:44)
MSP who's earning a good profit margin won't cut corners. They will have the surplus dollars to be able to do it the correct way. And if shit hits the fan, they'll have the financial resources to be able to course correct very quickly and weather that storm. Right?
Mario Zaki (25:05)
Yeah, and unfortunately, it also comes back to the customer because the customer, know, how many times have you sat with somebody that says, I don't know anything about what you guys are talking about or what is required, you know, certain industries, construction, you know, you have somebody following a blueprint, you know, like they look at the blueprint, here's the requirements, here's exactly what we need. Okay, to
Justin Shelley (25:28)
That was engineered
by a licensed engineer by law.
Mario Zaki (25:32)
Exactly. You then are bidding for the exact same thing. Everything is apples to apples. All right. Even if you're installing security cameras, we've bid on stuff and they says they want like unified cameras. They want, you know, cat six cabling. They want, you know, this type of patch panel. It's really just who want, you know, where you're fitting in and the bids are going to be very similar. But with IT, you know, we've seen people go up again. We've lost.
to people that have been charging like $20 a computer per month. And what are they getting for $20 a month? They're like, all right, well, Avast Free Antivirus. You're like, OK, that's what you want to go to. You almost want to just walk out of the room because they're like, oh, well, this guy is offering this for a fraction of the price.
Justin Shelley (26:06)
All right. Yeah.
Robert Cioffi (26:24)
Yeah, it's funny how some people, some prospects, and I don't mean to turn this sort of in a bitching session here, but there's a couple of prospects out there that you run into that talk out of both sides of their mouth. And what I mean by that is they will tell you, oh, I don't know what you guys do or what all of this stuff is, but let me tell you what I'm willing to pay for. And it's like, well, if you just admitted that you don't understand this stuff, how are you making a decision?
Mario Zaki (26:30)
You
Justin Shelley (26:37)
yeah.
Mm-hmm.
Robert Cioffi (26:53)
Can you please excuse yourself from the room and get somebody else in your company who is competent enough to make a good decision, give them the power of the checkbook pen and let them make the decision? Can I talk to them, not you, please? But it's infuriating sometimes that you're talking to somebody that they give you the Heisman, right? They don't wanna talk about that. They don't wanna talk anything remotely technological, right? And we're not talking about bits and bytes, we're talking about the...
Bryan Lachapelle (27:06)
Yeah
Justin Shelley (27:08)
It is.
Robert Cioffi (27:21)
the business of technology, and yet, like, they pretend that they're smarter than you when it comes to these decisions.
Justin Shelley (27:30)
I know. Yeah, yeah, that's a that's a classic. All right, guys. Any any other thoughts on what it does to our industry to us who are trying to provide a legitimate service in this unregulated world?
Bryan Lachapelle (27:42)
Well, I'll say one of the things that it does do is that because these ⁓ MSPs do exist that are subpar and aren't making money and are cutting a lot of corners, it gives the entire industry a bad name. When we hear of a potential person or a business who got hacked or these large companies who had an MSP who got breached, ⁓ if it was due to negligence, because there is a big difference
between somebody who got hacked not due to negligence and somebody who got hacked due to negligence. The reality is, is most businesses will get hacked at some point or another. And sometimes the best we can do is mitigate damage and reduce the impact. But when it's outright negligence, it gives the entire industry a bad name. And that makes prospects and businesses a lot more hesitant to move forward with other MSPs, knowing that when they do find out our industry is unregulated,
Justin Shelley (28:36)
Yeah, absolutely.
Bryan Lachapelle (28:41)
become weary of all of us.
Robert Cioffi (28:44)
I'll add one more thing, Justin, I'm sorry, Brian, you ⁓ alluded to a little bit of this earlier. To answer the question in a different way, Justin, of what is it doing to us? I think it's also creating opportunity. And so while I bitched a little bit about some of the things, you know, that I'm frustrated with, ⁓ looking at things in a more positive light, it's an opportunity for those of us that are somewhere at average or above
Bryan Lachapelle (28:58)
Hmm.
Robert Cioffi (29:13)
⁓ to say that this is a market differentiator, right? know, Brian spoke earlier about, hey, and I'm putting words in your mouth, like I offer a premium service and it comes at a premium price. So if you want to stop messing around, you want to use somebody like me. If you still want to get garbage service and pay nothing for it, then I'm not the guy for you, right? One of my friends in the industry, I think I can call them friends, ⁓ they had a marketing campaign, which I thought was brilliant.
They called themselves, we're number three. was this whole thing around a baseball theme of like, you know, the big foam hands instead of we're number one, we're number three. And the punchline there was, we're your third MSP. Cause the first one you had no idea what you were doing as a client and you pick somebody at random and they were really horrible. And then you learned some things and then you picked another one and they were better, but they still weren't that great. And then by the time you found me, I'm your third MSP. And now
You've got a little bit more experience on how to pick the right company. So there's an opportunity there is is is is my message that this is a way for you to be differentiated instead of us bellyaching, ⁓ you know, like frogs on a log complaining about what all the other frogs that don't know what they're doing or doing like they're messing the show. You know what? Let's rise above it. Let's let's figure out a way to differentiate. Let's figure out.
Justin Shelley (30:15)
Interesting. Yeah.
Bryan Lachapelle (30:25)
Yeah.
Robert Cioffi (30:40)
how to message, how to communicate better, right? I think Brian, I'm stealing some words from you again, but there's the opportunity.
Bryan Lachapelle (30:48)
Yeah, my favorite saying is I would rather explain my high prices once than my poor service for the rest of our relationship.
Mario Zaki (30:48)
No.
Robert Cioffi (30:54)
That's
awesome. I love that.
Justin Shelley (30:55)
Yeah, yeah.
All right.
Bryan Lachapelle (30:56)
Yeah. So.
Mario Zaki (30:57)
And you know,
the thing is we've said it so many times on the show that you know sometimes you just need somebody to come in do a security network assessment and see You know what you're not getting or what you're paying for and not getting pointed out and if You know I can say for everybody in this room that if we are pointing it out and we see it we can fix it
you know, where the other people that probably don't even know it even exists. You know, so it does. So I do agree with Robert. Sometimes it creates an opportunity to educate the customer. And when you educate them, you earn their trust and you're, you're able to build a good relationship from there.
Bryan Lachapelle (31:32)
100%.
Justin Shelley (31:41)
Yeah. The, the, again, the tragic part of this is you don't change MSPs very often as, as a business, you don't make this change very often. You hold onto what you've got for way too long to that MSP. Number one, who's giving you terrible service. And then something happens, maybe call it slow response times. And so you go and you find somebody else, you make that painful change. And then, ⁓ unfortunately, by the time you get to number three,
It's probably because you've dealt with a combination of bad services and, a breach. my goal, I would love to be able to do this for all prospects. Everybody listening is to avoid those painful transitions, make an educated transition instead. Don't wait until you've been burned. And, and now I'm going to pivot to what's the answer. How can we help ⁓ educate the buyer right now so that they don't have to deal with.
shitty service and they don't have to deal with Russian hackers and God forbid a breach that leads to government fines and penalties and is followed up by a class action lawsuit. Let's not go there. Guys, how can we help people avoid this absolute nightmare that is theirs unless they take action?
Mario Zaki (33:02)
Well, you can start by, if your MSP is not doing this already, set up a quarterly or at least every six month meeting and have them present to you what they're doing. Have them go over a strategic business review of what they've done for you within the last three months, show you a backup report. They should be sending you a backup report at least weekly. ⁓
have them give you a list of all the computers that they're managing, know, the latest, at least, antivirus report, incident report, know, patch report. Have them give you something, you know, where you can at least be in the circle of understanding what you're paying them for, you know, because nobody, no MSP wants to ever hear, what are we paying you for, you know?
You want them to always be providing you that information. So that way, you know, if something is missed, you can at least have a conversation with them and say, Hey, you know, Bob, you know, we, you're, you're billing me for 19 computers, but by the way, we have 20. Is there a computer that you are not aware of? Because that computer that you're not aware of could be your weakest link. It may not have the proper protection on it. So be involved.
you know, with meetings and knowledge with what is being provided.
Bryan Lachapelle (34:33)
I'm going to go in a different tact and a different approach and say, and I mentioned this last week, if you can, if you can find an independent third party auditor that can audit your systems that isn't your MSP, so we work with a credit union and they have an independent auditor at least once a year, come in, do a complete analysis of the entire systems, networks, where the issues and where the things might be, hand over report, and then we work with them to mitigate.
the small few things that are there, but if there were glaring obvious problems, that would be an opportunity to have a deeper discussion. If you are able to get a third party independent assessment done on a regular, more regular basis, then the MSP and the auditor can work together to mitigate things a lot faster and a lot quicker. But that independent assessment in, depending on the industry, of course, if you're in a high risk industry, then having that independent auditor would
make a lot of sense if you're more just retail or business that might not have ⁓ that level of ⁓ capital to be able to outlay there. Maybe your MSP has an independent third person that they could use that will audit you. I know the three of us had ⁓ or do have a company we work with that will do an assessment and it's an independent assessment and we can sort of work with them to mitigate anything that is found.
But that's where I would go. If I were running a company that wasn't an MSP, I would want a third party doing that assessment.
Justin Shelley (36:02)
You're up, what do you got for us?
Robert Cioffi (36:03)
Well, warning signs to look for. And some of this is just repeating back what Brian and Mario touched on. But if your technology vendor provider is ⁓ only speaking tech, does not speak the language that you can understand, that's a warning sign to me. ⁓ If they ⁓ don't understand ⁓ how to run their own business, right? And there's a lot of different
ways that you can measure their operational maturity level in terms of, you know, listen, if the owner is showing up and turning the screwdriver for you all the time, it's very unlikely he's got time or she has got time to mind the store, right, and make sure that things are heading in the right direction. But I would also challenge an MSP, if I were a business owner shopping for one, to answer questions that they're ⁓ that they've probably have never been asked, like
What conferences do you go to? ⁓ Do you budget time and money for that? Who from your company goes? ⁓ What sort of frameworks or methodologies do you follow? What sort of industry standards? Can you explain that to me? If somebody asked me that question, I would talk about CIS controls. And even though that sounds scary, I would break it down for them about why that's a good framework for us to follow from a cybersecurity perspective. Other people might, you know,
Justin Shelley (37:02)
I like that.
Robert Cioffi (37:28)
Other technical people might argue with me on that. But those are the types of questions that an average small business owner should be asking and probing. Is this a sound company? Do they invest in their people? Do they invest in themselves? Can they run an operation? I mean, this is a critical part of my company, just like I would consider my accountant and my lawyer. Right. This isn't a critical part of my company. I like.
Who's running a business today where IT is not critical? And please don't tell me pizzerias, because even they rely on technology these days. you know, I would be, ⁓ how do you measure your own success and your own operational maturity, Mr. or Mrs. business owner, and then apply those same questions back to your potential IT provider to see, they, you know, do they pass that kind of sniff test?
Justin Shelley (38:05)
Yeah, there's not much out there.
Bryan Lachapelle (38:25)
like it. What metrics do you track? Yeah.
Justin Shelley (38:26)
And, and
Mario Zaki (38:27)
Very good.
Justin Shelley (38:29)
yeah, well, and I, I'll admit Robert, I'm sure I've told you before the first time we had you on the show, I asked you, what was your lesson learned from the nightmare that you dealt with? And it was a one word answer was frameworks. And that changed my life. not, I'm, I'm not exaggerating that everything I do now is based on frameworks. ⁓ And so that
Robert Cioffi (38:48)
Yeah, you have to listen.
And Justin, it's not it's not an insult towards you because it's the same towards me. It's like you're not the smartest person in the room. Right. Well, maybe this room. But overall, you're not the smartest like none of us are. So that's why industry standards are developed. Just like in other industries. That's why you build according to specifications. And you don't if you if I'm doing electrical work in my house, I must comply with the electrical code.
Justin Shelley (38:55)
Right.
Yeah.
Right.
Robert Cioffi (39:18)
There's a reason for that, because I don't want my house to burn down.
Justin Shelley (39:21)
Well, in that you've got an engineer, again, licensed, you've got the implementer, the construction, the contractor who does it. And then you've got a government official that comes in sniffing around inspecting it when it's done before it ever, ⁓ passes a sniff test. you know, all those things exist in so many other industries that we don't have here, but we can do that for our clients and for our prospects.
⁓ and frameworks is a great example. not saying it's the only one, but it is a great one where you can say there is a plan out there. It's published, it's peer reviewed, it's accepted by the industry. And that's what we follow. And here's how you measure up based on that. And if you're not using that, and I've said this before too, you better have your own internal set of standards that you have vetted and you've documented and that you can hold up against, you know, that you can show your prospects. and then in the end, and we're going to kind of wrap up here.
But I will say, I was, like I said earlier, as a business owner, as a CEO, this falls on your plate, like it or not. If you get hacked, they're coming after you. They're coming after your money. They're suing you that it's not going anywhere else. And it may trickle down, but your neck is on the line. So damn it. You better know something about this and shameless plug. Just listen to unhacked on a weekly basis. And that base is covered. So, um, guys,
Robert Cioffi (40:40)
Yeah
Justin Shelley (40:43)
That's where we're going to wrap up. We'll go around the room. If you have any final thoughts, can give your key takeaway, your final thought and your sign off. And then we're going to wrap for this week, Mario. We're going to let you go first. Take it away.
Mario Zaki (40:56)
So, you know, just some advice out there to, you know, prospects is you got to do your homework and see what questions you need to ask the people that are going to sit in a room with you. You got to be educated yourself so that you can make an educated decision to protect your company and the livelihood of your family and your employees and their family. ⁓ Do homework, understand what the industry
entails and ask them based on what you found if they're following those frameworks or guidelines. And don't just base it on price or how quickly they can answer the phone. Those are important, but shouldn't be the number one.
Justin Shelley (41:45)
Absolutely. Okay, Brian, punting it over to you.
Bryan Lachapelle (41:47)
All right.
You probably know where I'm to go with this. ⁓ IT is complex. It's wide ranging. There are so many levers that can be pulled in different directions. There's a lot going on and it can't all be done in one day. I like to say if you're going to want to improve your business using cybersecurity or in technology, treat it as a journey. You're not going to get everything done in one day. But if your MSP is meeting you the regular basis,
Justin Shelley (41:50)
Yep, I hope so.
Bryan Lachapelle (42:17)
creating a 90 day action plan. Here are the things we're going to implement this quarter. They're the highest, most important pieces we need to get in place right now, whether it's parts of CIS control or whether it's implementing different security levers. And next quarter, we're going to work on this. And the quarter after that, we're going to work on this. we're just ⁓ adding and improving on a continual basis. Going back to a podcast we had a couple of months ago, if you do that and you can prove that you're improving on a regular basis,
you will be in a much better legal position if you were to be breached and somebody who just put their fingers in your ear and went la la la I don't want to hear it because I don't have time they will find that email where you said I don't have the money for this and they will use it against you right
Justin Shelley (43:02)
As the attorney said, that's the daddy's getting a new boat email. All right, Robert, final thoughts.
Bryan Lachapelle (43:04)
Yeah, ching email. Yeah.
Mario Zaki (43:05)
Yes.
Robert Cioffi (43:10)
yeah, just, maybe two separate thoughts, you know, the advice to the, business owner making a decision about, know, who they're going to select as our IT provider. Remember you're really picking a partner. ⁓ so this is, you know, it's, I don't want to say it's marriage, but it's marriage, right? this isn't just dating, right? You got like, this is a business partner, a serious business partner. So please vet them from a business perspective.
Justin Shelley (43:29)
Pretty much,
Robert Cioffi (43:40)
You know, don't get too hung up on the the technical bits and bytes. And if that's where the conversation is ⁓ completely centered on, then that's probably your biggest red flag. ⁓ We like to ⁓ call our clients on our managed services plan, our business partner. Right. And we actually use that term ⁓ and then try to live up to that as best as we can. For the ⁓ MSPs out there.
Um, the magical acronym, cause we don't have enough acronyms in life. I'm going to throw another one out there. Uh, and that's SRO, right? Uh, self-regulated organization. Uh, I think it's high time that we do become like CPAs, uh, or like, you know, adopt the bar association or the AMA, right? For doctors or, know, so you mentioned some of the others, you can't sell a house without a license. You can't cut hair for it. I know some of you guys don't have hair, but for those of us that have hair, um,
Justin Shelley (44:10)
No, no.
Bryan Lachapelle (44:11)
Right, not enough.
Mario Zaki (44:13)
You
Justin Shelley (44:33)
Hey. Hey!
Robert Cioffi (44:36)
You know, that girl who cuts my hair, she needs a license to do so. And for Pete's sake, think about what we're doing. And there's no license for this. Like, that just seems upside down to me.
Mario Zaki (44:44)
We should start something.
Let's start something.
Robert Cioffi (44:49)
Well, there are a couple of movements ⁓ attempting to do this and not to ⁓ overly plug in one organization, but GTIA, formerly Comtea, has been trying to get that ball moving in the right direction. ⁓ In my opinion, they probably have right now the best chance of it getting done. But this has got to go before, you know, it's potentially got to go before Congress. The last thing we want, is to have government ⁓
Bryan Lachapelle (44:51)
They are.
Agreed.
Robert Cioffi (45:16)
come in and say, okay, we're gonna regulate you now. That would be, that's, you thought what I went through four years ago was a nightmare? That will be a much worse nightmare.
Bryan Lachapelle (45:26)
Self-regulated with a way to go.
Justin Shelley (45:30)
All right. Well, boy, I'm not, I'm not even sure how to follow that there. There's a lot here. There's some doom and gloom for sure. ⁓ but guys we've, we've got to do better and Brian, think it was you. Yeah. We've got, we've got to do a better communicators. but I will say that it's incumbent upon us, the one sitting in this room right now to do better, to, to, to show, ⁓ other, you know, our fellow
Mario Zaki (45:36)
you
Robert Cioffi (45:45)
There's of opportunity out there, Justin. You gotta look positive.
Justin Shelley (45:59)
business partners, as you said, Robert, that there is a safe, a sane way to do this because the system as it sits is insane. It's, it's just complete wackadoo. ⁓ so again, shameless plug business owners, like get educated. If you got nothing else, nowhere else to turn, turn here, you know, if you listen to this every week, you will be able to, and I'm going to, okay, I'm going to, I'm going to prove my point. My,
admin slash business partner slash life partner who does all the editing and promotion and publishing of this show came into this completely uneducated as far as cybersecurity goes and technology at large. and now after listening to episode after episode and promoting and seeing what people pay attention to and listen to and click on, I mean, she might be smarter than me at this point. She can easily speak the language. She knows exactly what she would need to do if she had to go out and, ⁓ sign contracts with an MSP. So.
I mean, like just on your way to work, throw in this podcast. There you go. Problem solved. ⁓ guys, we're going to go ahead and wrap up this week. Robert, thank you as always for joining us. We might have to make you a regular on the show. think, ⁓ really appreciate your insights. Appreciate your time. Okay. Okay. Good. Good. Don't, don't worry. That checks on the way. ⁓ Brian and Mario is always appreciate you being here guys go to, we still have unhacked out live by the way, that website still exists, but I've just kind of been up.
Robert Cioffi (47:07)
My pleasure.
I'm very affordable.
Justin Shelley (47:25)
and improving and go to unhackmybusiness.com with for more information and resources. And I'm making a commitment right now to put together a true, owner's guide on, on really how to figure out how to, how to make that next third MSP decision. So unhackmybusiness.com we'll have that as always, you go to the show notes on your, you know, smartphone, Apple podcast, Spotify, whatever.
And you'll have the links to all of our websites, Brian's, Mario's, and Robert, I don't know, you're off the top of your head, go ahead and read that for me. And then I'll throw it the show notes. Yep. Yep.
Robert Cioffi (48:00)
My domain name, yes?
www.progressivecomputing.com. I know that's a mouthful, but progressivecomputing.com. Yep.
Justin Shelley (48:09)
Hey, that's an easy one. Cool. All
right, guys, click those links and show some love. Otherwise take care. We'll see you next week.
Robert Cioffi (48:17)
Peace.
Mario Zaki (48:18)
Bye guys.
Creators and Guests
